Home > Guides > Security > General Security and Privacy

Security Reference Guide

Hosted by

Toggle Open Guide Table of ContentsGuide Contents

Close Table of ContentsGuide Contents

Close Table of Contents

Stealing Your Family Vacation: Memories of a Media Card

Last updated May 23, 2003.

Have you ever taken an embarrassing or exposing picture with your digital camera, but then immediately deleted it from the camera before anyone had a chance to see it? Well, we've got some news for you... that picture may still exist — and we might just have it!

Over the last few years, there has been a lot of media coverage about the kinds of data that can be recovered from used hard drives and cell phones. Everything from sensitive financial information to text message records has been pulled off these devices. The result of this exposure is that people are learning to secure their data and ensure that they properly wipe their storage devices before getting rid of them. But what are people doing with alternate forms of digital storage such as compact flash cards found in cameras, or Sony Memory Sticks that are used in PSP's? Well, we decided to investigate and this article details our results.

The Project

Early in 2004 we purchased roughly 10 hard drives off of eBay for research purposes. Our goal was to see just how much data was out there for the taking. While the results of this test were never officially reported, we found that eight of the ten formatted drives still had data on them. Using tools like Autopsy and EasyRecovery Pro, we were able to recover social security numbers, bank account details, medical records and more.

Now here we are three years later and things are a little bit better, with regards to the proper wiping of data on resold hard drives. However, at the same time, the gadget market has exploded, and with it so has digital media. Digital cameras, console systems, handheld devices, MP3 players and more are all taking advantage of cheap flash memory cards. The result is that the average consumer will have several of these media cards lying around, many of which will rarely be used because they are too small or aren't compatible with the currently owned camera. Thankfully, for us, eBay is the perfect place to dump these cards.

Unfortunately, many of these media card owners have no way to view the card, and if they do, assume that their data is properly deleted using the cameras formatting feature — at least this was our theory. So, over a period of a couple weeks we kept a close eye on eBay and snatched up a few older/smaller compact flash media cards on which we would test our theory.

File Structures and Recovery

File recovery is not a complex or overly technical process to understand. In many ways, file recovery is just glorified searching. The reason for this is that most files have a standard format, so recovering a specific file means searching a drive for data in that format. In the case of a JPG, the beginning of the file will always start with the hex values of FF D8 and end with FF D9. So, to locate all JPG's on a hard drive, a program will scan the disk until it comes to a FF D8, mark the position, continue scanning until FF D9, and extract the data in between.

There are some issues that can complicate this process. For example, large files are often fragmented across the hard drive. In this case, the scanner may detect the FF D8 value, but will fail to find the end of the file. The same would apply to a file that was partially overwritten. In addition, not all file types are easy to spot because they are raw data (i.e. text file). In this case, a program has to scan for specific strings, such as 'HTML', which may indicate a web page file.

There are many programs on the market that perform data recovery. Some are free, such as PhotoRec. Others are a bit more costly and can run you in the range of $1000 (Forensic Toolkit and DataRecovery Pro). For this exercise we are going to use PhotoRec that you can download at http://www.cgsecurity.org/wiki/PhotoRec.

Recovering the Data

The following will walk you through the steps and screens of PhotoRec as we attempt to recover deleted files from a compact flash media card. The only requirement is that you have the card inserted into some kind of reader, and that Windows recognizes the card and assigns it a drive letter. Once this criteria is met, double click the photorec_win executable, which will open a window that lists all the drives and their sizes (figure 1).

Figure 1

Figure 1: PhotoRec listing the drives available for recovery

Select the drive that most closely indicates the size of the card you are recovering files from. The larger the drive, the longer the recovery process will take.

Next select the partition table type, which will be 'Intel' for the normal media card (figure 2).

Figure 2

Figure 2: Select the correct partition table

Next select the 'empty' partition, which basically tells PhotoRec to process the whole disk.

Figure 3

Figure 3: Choosing the right options

Finally, select the destination folder and hit the letter Y (figure 4). At this time, the program will start searching the media card for files that it will extract out and save to your hard drive (figure 4).

Figure 4

Figure 4: Select the output folder

Figure 5

Figure 5: PhotoRec recovering data

Once the recovery is complete, go to the defined directory and view the images. As you can see, data recovery does not have to be difficult, time consuming, or expensive!

The Statistics and Results

Our budget for this project was roughly $100. While limiting, small capacity cards are relatively cheap. In all, we spend $70.47 on a selection of 16 cards (plus another $42.60 on shipping!). Of these, one got lost in the mail and another was dead upon arrival.

The following outlines our findings. Note that some of the cards contained content that was never deleted, which we indicate in the 'Viewable Data' field.

Card Number

Size in MB

Viewable Data

Recoverable Data

Images Found

Movies Found

 

 

 

 

 

 

 

 

 

 

 

 

 

4

*1 — this card had normal computer files (xls, doc, zip, pdf, etc).

*2 — this card had numerous files, but they were filled with 0's

Statistically, this indicates that 78% of the cards we obtained on eBay contained recoverable data. In total, we found 240 pictures, 17 movies, and a wide range of files from the card with computer files. The following lists the main subjects of the images.

  • Lots of close ups of pets, babies, teenagers, young adults and couples posing (with clothes on)
  • Teenager practicing gang signs?
  • Disney world vacation
  • Insurance company pictures (someone took pictures of various insurance agency signs from Georgia)
  • Niagara Falls and Jehovah Witness Watchtower Expose
  • Construction contractor digital log
  • People partying, getting drunk, and passing out

The evidence suggests that people are not aware that their privacy is at risk. In addition, the fact that some of the cards contained undeleted images is a bit disconcerting. At a bare minimum media card owners should have deleted the viewable images.

While these statistics may seem high, they are inline with other studies performed on used hard drives purchased from eBay. For example, in a research project performed by PointSec in 2004, it was discovered that roughly 88% of used drives contained sensitive information. In 2005, a follow up study found that 71% of drives contained recoverable data. So, it is not surprising to discover that a majority of our media cards also contained files.

Deleting the Data

Fortunately, deleting the data is not too difficult or expensive. If you are a Windows XP Professional owner, then you already have the tools needed to ensure your drive is clean. All you need to do is click Start — Run and type in cmd. Then at the command prompt, type in the following:

cipher /w:<drive letter>: Where <drive letter should be replaced by the media card drive letter that is listed in Windows Explorer (figure 6).

Figure 6

Figure 6: Using cipher to wipe a media card.

Another option for those of who prefer a GUI interface is a freely available program called Eraser. Using this program, you can over write all the empty space on a drive, which will also overwrite any data that was not truly deleted. Figure 7 illustrates this program in action.

Figure 7

Figure 7: Using Eraser to wipe a media card

Summary

In this digital era your data can reside almost anywhere. Hard drives, USB sticks, camera cards, PDA's, phones, or even a digital picture frame could hold information you wouldn't want the world to see. It only takes a few minutes to properly delete your data storage device, and if you don't know how, then it might just be worth it to physically destroy the item instead of reselling it. Hopefully the results of this project has helped to highlight the fact that all forms of digital storage should be treated the same, regardless of their size, shape, or how many MB's it might hold.